1 /* Unix NT password database implementation, version 0.6.
3 * This program is free software; you can redistribute it and/or modify it under
4 * the terms of the GNU General Public License as published by the Free
5 * Software Foundation; either version 3 of the License, or (at your option)
8 * This program is distributed in the hope that it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, see <http://www.gnu.org/licenses/>.
23 #define _pam_overwrite(x) \
25 register char *__xx__; \
32 * Don't just free it, forget it too.
35 #define _pam_drop(X) \
43 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
47 for (reply_i=0; reply_i<replies; ++reply_i) { \
48 if (reply[reply_i].resp) { \
49 _pam_overwrite(reply[reply_i].resp); \
50 free(reply[reply_i].resp); \
58 int converse(pam_handle_t *, int, int, struct pam_message **,
59 struct pam_response **);
60 int make_remark(pam_handle_t *, unsigned int, int, const char *);
61 void _cleanup(pam_handle_t *, void *, int);
62 char *_pam_delete(register char *);
64 /* default configuration file location */
66 const char *servicesf = get_dyn_CONFIGFILE();
68 /* syslogging function for errors and other information */
70 void _log_err( int err, const char *format, ... )
74 va_start( args, format );
75 openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
76 vsyslog( err, format, args );
81 /* this is a front-end for module-application conversations */
83 int converse( pam_handle_t * pamh, int ctrl, int nargs
84 , struct pam_message **message
85 , struct pam_response **response )
88 struct pam_conv *conv;
90 retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
91 if (retval == PAM_SUCCESS) {
93 retval = conv->conv(nargs, (const struct pam_message **) message
94 ,response, conv->appdata_ptr);
96 if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
97 _log_err(LOG_DEBUG, "conversation failure [%s]"
98 ,pam_strerror(pamh, retval));
101 _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
102 ,pam_strerror(pamh, retval));
105 return retval; /* propagate error status */
108 int make_remark( pam_handle_t * pamh, unsigned int ctrl
109 , int type, const char *text )
111 if (off(SMB__QUIET, ctrl)) {
112 struct pam_message *pmsg[1], msg[1];
113 struct pam_response *resp;
116 msg[0].msg = CONST_DISCARD(char *, text);
117 msg[0].msg_style = type;
120 return converse(pamh, ctrl, 1, pmsg, &resp);
126 /* set the control flags for the SMB module. */
128 int set_ctrl( int flags, int argc, const char **argv )
131 const char *service_file = get_dyn_CONFIGFILE();
134 ctrl = SMB_DEFAULTS; /* the default selection of options */
136 /* set some flags manually */
138 /* A good, sane default (matches Samba's behavior). */
139 set( SMB__NONULL, ctrl );
141 /* initialize service file location */
142 service_file=servicesf;
144 if (flags & PAM_SILENT) {
145 set( SMB__QUIET, ctrl );
148 /* Run through the arguments once, looking for an alternate smb config
153 for (j = 0; j < SMB_CTRLS_; ++j) {
154 if (smb_args[j].token
155 && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
161 if (j == SMB_CONF_FILE) {
162 service_file = argv[i] + 8;
167 /* Read some options from the Samba config. Can be overridden by
169 if(lp_load(service_file,True,False,False,True) == False) {
170 _log_err( LOG_ERR, "Error loading service file %s", service_file );
175 if (lp_null_passwords()) {
176 set( SMB__NULLOK, ctrl );
179 /* now parse the rest of the arguments to this module */
184 for (j = 0; j < SMB_CTRLS_; ++j) {
185 if (smb_args[j].token
186 && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
192 if (j >= SMB_CTRLS_) {
193 _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
195 ctrl &= smb_args[j].mask; /* for turning things off */
196 ctrl |= smb_args[j].flag; /* for turning things on */
199 ++argv; /* step to next argument */
202 /* auditing is a more sensitive version of debug */
204 if (on( SMB_AUDIT, ctrl )) {
205 set( SMB_DEBUG, ctrl );
207 /* return the set of flags */
212 /* use this to free strings. ESPECIALLY password strings */
214 char * _pam_delete( register char *xx )
216 _pam_overwrite( xx );
221 void _cleanup( pam_handle_t * pamh, void *x, int error_status )
223 x = _pam_delete( (char *) x );
228 * Safe duplication of character strings. "Paranoid"; don't leave
229 * evidence of old token around for later stack analysis.
232 char * smbpXstrDup( const char *x )
234 register char *newstr = NULL;
239 for (i = 0; x[i]; ++i); /* length of string */
240 if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
242 _log_err( LOG_CRIT, "out of memory in smbpXstrDup" );
250 return newstr; /* return the duplicate or NULL on error */
253 /* ************************************************************** *
254 * Useful non-trivial functions *
255 * ************************************************************** */
257 void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
260 const char *service = NULL;
261 struct _pam_failed_auth *failure;
263 #ifdef PAM_DATA_SILENT
264 quiet = err & PAM_DATA_SILENT; /* should we log something? */
268 #ifdef PAM_DATA_REPLACE
269 err &= PAM_DATA_REPLACE; /* are we just replacing data? */
271 failure = (struct _pam_failed_auth *) fl;
273 if (failure != NULL) {
275 #ifdef PAM_DATA_SILENT
276 if (!quiet && !err) { /* under advisement from Sun,may go away */
278 if (!quiet) { /* under advisement from Sun,may go away */
281 /* log the number of authentication failures */
282 if (failure->count != 0) {
283 pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
285 , "%d authentication %s "
286 "from %s for service %s as %s(%d)"
288 , failure->count == 1 ? "failure" : "failures"
290 , service == NULL ? "**unknown**" : service
291 , failure->user, failure->id );
292 if (failure->count > SMB_MAX_RETRIES) {
294 , "service(%s) ignoring max retries; %d > %d"
295 , service == NULL ? "**unknown**" : service
301 _pam_delete( failure->agent ); /* tidy up */
302 _pam_delete( failure->user ); /* tidy up */
303 SAFE_FREE( failure );
307 int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
308 const char *p, unsigned int ctrl )
312 int retval = PAM_AUTH_ERR;
319 name = pdb_get_username(sampass);
321 #ifdef HAVE_PAM_FAIL_DELAY
322 if (off( SMB_NODELAY, ctrl )) {
323 (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
327 if (!pdb_get_lanman_passwd(sampass))
329 _log_err( LOG_DEBUG, "user %s has null SMB password"
332 if (off( SMB__NONULL, ctrl )
333 && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
334 { /* this means we've succeeded */
339 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
340 _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s",
341 uidtoname(getuid()), service ? service : "**unknown**", name);
346 data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
347 if (data_name == NULL) {
348 _log_err( LOG_CRIT, "no memory for data-name" );
350 strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
351 strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
354 * The password we were given wasn't an encrypted password, or it
355 * didn't match the one we have. We encrypt the password now and try
359 nt_lm_owf_gen(p, nt_pw, lm_pw);
361 /* the moment of truth -- do we agree with the password? */
363 if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
365 retval = PAM_SUCCESS;
366 if (data_name) { /* reset failures */
367 pam_set_data(pamh, data_name, NULL, _cleanup_failures);
373 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
375 if (data_name != NULL) {
376 struct _pam_failed_auth *newauth = NULL;
377 const struct _pam_failed_auth *old = NULL;
379 /* get a failure recorder */
381 newauth = SMB_MALLOC_P( struct _pam_failed_auth );
383 if (newauth != NULL) {
385 /* any previous failures for this user ? */
386 pam_get_data(pamh, data_name, (const void **) &old);
389 newauth->count = old->count + 1;
390 if (newauth->count >= SMB_MAX_RETRIES) {
391 retval = PAM_MAXTRIES;
395 "failed auth request by %s for service %s as %s",
397 service ? service : "**unknown**", name);
400 if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
402 "failed auth request by %s for service %s as %s",
404 service ? service : "**unknown**", name);
406 newauth->user = smbpXstrDup( name );
407 newauth->agent = smbpXstrDup( uidtoname( getuid() ) );
408 pam_set_data( pamh, data_name, newauth, _cleanup_failures );
411 _log_err( LOG_CRIT, "no memory for failure recorder" );
413 "failed auth request by %s for service %s as %s(%d)",
415 service ? service : "**unknown**", name);
419 "failed auth request by %s for service %s as %s(%d)",
421 service ? service : "**unknown**", name);
422 retval = PAM_AUTH_ERR;
426 _pam_delete( data_name );
433 * _smb_blankpasswd() is a quick check for a blank password
435 * returns TRUE if user does not have a password
436 * - to avoid prompting for one in such cases (CG)
439 int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass )
444 * This function does not have to be too smart if something goes
445 * wrong, return FALSE and let this case to be treated somewhere
449 if (on( SMB__NONULL, ctrl ))
450 return 0; /* will fail but don't let on yet */
452 if (pdb_get_lanman_passwd(sampass) == NULL)
461 * obtain a password from the user
464 int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
465 const char *comment, const char *prompt1,
466 const char *prompt2, const char *data_name, char **pass )
473 struct pam_message msg[3], *pmsg[3];
474 struct pam_response *resp;
478 /* make sure nothing inappropriate gets returned */
480 *pass = token = NULL;
482 /* which authentication token are we getting? */
484 authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
486 /* should we obtain the password from a PAM item ? */
488 if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
489 retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
490 if (retval != PAM_SUCCESS) {
493 , "pam_get_item returned error to smb_read_password" );
495 } else if (item != NULL) { /* we have a password! */
499 } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
500 return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
501 } else if (on( SMB_USE_AUTHTOK, ctrl )
502 && off( SMB__OLD_PASSWD, ctrl ))
504 return PAM_AUTHTOK_RECOVER_ERR;
509 * getting here implies we will have to get the password from the
513 /* prepare to converse */
514 if (comment != NULL && off(SMB__QUIET, ctrl)) {
516 msg[0].msg_style = PAM_TEXT_INFO;
517 msg[0].msg = CONST_DISCARD(char *, comment);
524 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
525 msg[i++].msg = CONST_DISCARD(char *, prompt1);
527 if (prompt2 != NULL) {
529 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
530 msg[i++].msg = CONST_DISCARD(char *, prompt2);
537 retval = converse( pamh, ctrl, i, pmsg, &resp );
540 int j = comment ? 1 : 0;
541 /* interpret the response */
543 if (retval == PAM_SUCCESS) { /* a good conversation */
545 token = smbpXstrDup(resp[j++].resp);
548 /* verify that password entered correctly */
549 if (!resp[j].resp || strcmp( token, resp[j].resp )) {
550 _pam_delete( token );
551 retval = PAM_AUTHTOK_RECOVER_ERR;
552 make_remark( pamh, ctrl, PAM_ERROR_MSG
557 _log_err(LOG_NOTICE, "could not recover authentication token");
562 _pam_drop_reply( resp, expect );
565 retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
568 if (retval != PAM_SUCCESS) {
569 if (on( SMB_DEBUG, ctrl ))
570 _log_err( LOG_DEBUG, "unable to obtain a password" );
573 /* 'token' is the entered password */
575 if (off( SMB_NOT_SET_PASS, ctrl )) {
577 /* we store this password as an item */
579 retval = pam_set_item( pamh, authtok_flag, (const void *)token );
580 _pam_delete( token ); /* clean it up */
581 if (retval != PAM_SUCCESS
582 || (retval = pam_get_item( pamh, authtok_flag
583 ,(const void **)&item )) != PAM_SUCCESS)
585 _log_err( LOG_CRIT, "error manipulating password" );
590 * then store it as data specific to this module. pam_end()
591 * will arrange to clean it up.
594 retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
595 if (retval != PAM_SUCCESS
596 || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
599 _log_err( LOG_CRIT, "error manipulating password data [%s]"
600 , pam_strerror( pamh, retval ));
601 _pam_delete( token );
605 token = NULL; /* break link to password */
609 item = NULL; /* break link to password */
614 int _pam_smb_approve_pass(pam_handle_t * pamh,
616 const char *pass_old,
617 const char *pass_new )
620 /* Further checks should be handled through module stacking. -SRL */
621 if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
623 if (on(SMB_DEBUG, ctrl)) {
625 "passwd: bad authentication token (null or unchanged)" );
627 make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
628 "No password supplied" : "Password unchanged" );
629 return PAM_AUTHTOK_ERR;